Alpine: libcurl, multiple curl packages: security update to 7.64.0-r0

critical Tenable Self-Hosted Container Security Plugin ID 423819

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The
function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not
validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow,
a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that
would lead to a buffer read out-of-bounds. (CVE-2018-16890)

- dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode
parameters. (CVE-2018-16980)

- libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The
function creating an outgoing NTLM type-3 header
(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents
based on previously received data. The check that exists to prevent the local buffer from getting
overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from
happening. This output data can grow larger than the local buffer if very large 'nt response' data is
extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large
value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes
from the NTLMv2 type-2 response header. (CVE-2019-3822)

- libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code
handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and
contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads
beyond the allocated buffer. The read contents will not be returned to the caller. (CVE-2019-3823)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-16890

https://security.alpinelinux.org/vuln/CVE-2018-16980

https://security.alpinelinux.org/vuln/CVE-2019-3822

https://security.alpinelinux.org/vuln/CVE-2019-3823

Plugin Details

Severity: Critical

ID: 423819

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-3822

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/12/2018

Reference Information

CVE: CVE-2018-16890, CVE-2018-16980, CVE-2019-3822, CVE-2019-3823

BID: 106947, 106950